Bates Wells — Response to consultation on the ICO direct marketing code of practice 


Introduction 


Bates Wells is a law firm that provides specialist data protection advice to range of commercial, public 
sector and charity clients. We have the largest dedicated Charity and Social Enterprise team in the 
UK and we act for more UK charities in the top 3,000 (by size) than any other law firm. We regularly 
advise on the law relating to direct marketing and fundraising as the vast majority of our charity clients 
carry out fundraising in some form or other. 


Questions 


1. 


1.1 


1.2 


1.3 


1.4 


The code will address the changes in data protection legislation and the implications 
for direct marketing. What changes to the data protection legislation do you think we 
should focus on in the direct marketing code? 


The key change in legislation will clearly be the impact of the GDPR on direct marketing — 
specifically, issues around the new transparency requirements, the new definition of 
consent, and the application of legitimate interests to marketing activities. 


Transparency and prospective supporters 


It is essential for the subsistence of charities that they are able to maintain and grow a 
supporter base, from which they can fundraise and seek other support. Charity practice 
often involves identifying, in particular, high profile individuals who may have an affinity to 
the charitable cause and in doing so charities may undertake research on potential donors 
and supporters, before ever contacting them. It would be helpful to understand how the ICO 
expects organisations to comply with the one-month deadline for contacting individuals 
under Article 14 of the GDPR in circumstances where they may, after conducting research, 
may not feel it is appropriate to contact them at that time, or choose not to contact that 
individual and instead delete their record. 


Social media 


The ICO’s guidance does not clarify to what extent direct marketing via social media 
constitutes electronic messaging for which consent is required under the law. For instance, 
delivering a targeted advertisement to an individual’s Facebook feed via Facebook’s 
‘Custom Audience’ tool, as against messaging an individual directly via Facebook’s direct 
messaging function — in which circumstances consent would be required. It would also be 
helpful to understand, when consent is required, whether the ICO considers this to be a 
separate ‘channel’ which should be identified in any consent collection statements (i.e. as 
separate to email). 


Soft opt-in 


We would be grateful for clarification on when charities can make use of the soft opt in. We 
have found that some in the sector take the view that it is not open to them, as charities, to 
make use of this. However — in our view, this is likely to be available for many charities’ 
activities such as those selling mechanise via a trading subsidiary, selling tickets to events, 
or providing a service to beneficiaries or professionals. 
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1.5 


3.1 


3.2 


3.3 


3.4 


There also appears to be disparity on the availability of this exemption for fundraising — the 
ICO’s guidance has long treated fundraising as analogous to direct marketing, but a request 
for a donation is not considered a product or service, leaving charities at a disadvantage as 
against commercial organisations. 


Apart from the recent changes to data protection legislation are there other 
developments that are having an impact on your organisation’s direct marketing 
practices that you think we should address in the code? 


YES 
If yes please specify 


Bates Wells acts for a number of charities and not-for-profits. They are affected in particular 
in this area by the impact of the Charities (Protection and Social Investment) Act 2016 which 
introduced requirements to record information about whether a supporter is vulnerable, so 
that it can adequately protect them when undertaking fundraising activity. This has been 
difficult for some to reconcile with the requirements around special category data in the 
GDPR. We wrote a detailed letter on this issue to the ICO on 5 March 2018, a copy of which 
is attached. It would be helpful to obtain the ICO’s view on how charities can validly record 
such data, for example, whether the “substantial public interest” condition under Article 
9(2)(g) GDPR and Schedule 1, Part 2 of the Data Protection Act 2018 could be relied upon 
to process special category data in these circumstances. 


The Fundraising Regulator’s Code of Practice (the Fundraising Code) is currently in the 
process of being updated and has recently been out for consultation. Bates Wells 
responded to that consultation, and an extract of our response is attached. In particular, we 
have identified that the Fundraising Code is not always consistent with the GDPR — using, 
for example, different definitions for terms such as ‘legitimate interests’, and going beyond 
the requirements of GDPR in certain areas. We think there are a number of inconsistencies 
with how the Fundraising Regulator is applying the GDPR in the Fundraising Code. We 
would welcome consistency between the new Fundraising Code and any new direct 
marketing Code so that charities and fundraising organisations have clarity. 


Data protection guidance issued by the Fundraising Regulator in February 2017: 
https://www.fundraisingregulator.org.uk/sites/default/files/2018-07/Personal-info- 
quidance.pdf has also had a significant impact on the charity sector. We would welcome 
the ICO’s clarification on points which appear to contradict with the ICO’s own guidance, for 
example, section A6 (on page 19) specifies that charities could use a thank you 
communication/ acknowledgment of a donation in order to obtain consent to direct 
marketing. This appears to be at odds with the ICO’s view that any communication that 
seeks consent to direct marketing is direct marketing in itself (as seen in the Flybe/ Honda 
decisions). 


We are also regularly asked to advise our clients on what constitutes direct marketing 
versus an administrative communication (which would not require consent to send). There 
are a number of grey areas, especially in relation to “thank you” letters that are sent to 
donors and supporters, as well as event communications, for example when a person has 
signed up to run a marathon in aid of a charity. It would be helpful if the new code could 
include more detailed information and examples on the distinctions between marketing and 
administrative communications. 
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3.5 


5.1 


5.2 


6.1 


7.1 


10. 


10.1 


We have also seen an increase in the use of Facebook and similar products such as 
‘custom audiences’ — and would welcome clarification on the requirements for those using 
such products to target their supporter base. 


We are planning to produce the code before the draft ePrivacy Regulation (ePR) is 
agreed. We will then produce a revised code once the ePR becomes law. Do you 
agree with this approach? 


NO 
If no please explain why you disagree 


The recent changes in data privacy law generally, principally the GDPR, have precipitated a 
huge change for organisations and our clients have committed (appropriately) significant 
resource already to ensuring they are compliant. Having to potentially adapt their marketing 
practices twice within a relatively short period of time to comply with the new Code is likely 
to cause further strain which could potentially be avoided. 


An alternative approach might be to issue interim clarification within ICO guidance of any 
points identified in consultation as needing it, before issuing a Code only when the ePR is 
agreed. 


Is the content of the ICO’s existing direct marketing guidance relevant to the 
marketing that your organisation is involved in? 


YES 

If no what additional areas would you like to see covered? 

n/a 

Is it easy to find information in our existing direct marketing guidance? 
YES 


If no, do you have any suggestions on how we should structure the direct marketing 
code? 


n/a 


Please provide details of any case studies or marketing scenarios that you would like 
to see included in the direct marketing code. 


As discussed above, we would welcome more examples and case studies relating to direct 
marketing and fundraising activities that are undertaken by charities and not-for-profit 
organisations. In particular: 


e the difference between an administrative and direct marketing communication; 
e how charities may lawfully engage with digital marketing, including via social media; and 


e the circumstances in which charities can validly rely on the soft opt-in. 
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11. Do you have any other suggestions for the direct marketing code? 


11.1 We would welcome greater focus on the charity sector and clarity on how the rules apply to 
its practices, such as supporter profiling (discussed above). 


12. Are you answering these questions as: 
other 
(a) If you answered other, please specify: Law firm 
13. Please provide the name of the organisation that you are representing: 


Bates Wells Braithwaite 


14. We may want to contact you about some of the points you have raised. If you are 
happy for us to do this please provide your email address: 
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